Jump to content
Welcome to our new Citrix community!

Smart access for user coming in via this NetScaler Gateway Virtual Server and members of this AD Group

Joseph Crosley

Recommended Posts

I want to create a Policy (in Studio) to allow users to copy and paste from Client end Point  in and out of the Session if they come in via one of my NetScaler Gateway Virtual Server and are a member of an AD Group .


I have completed the Prerequisites (AAA Max User are 1000, TrustRequestsSentToTheXmlServicePort = true, Call back URL, ICA only) and setup a Policy on the Delivery Controllers.


Within the policy I am filtering on the AD group and Access Control. Within the Access Control I am entering the AG Farm Name giving it the same name of the NetScaler Gateway Virtual Server. I have tried putting * in the AccessConditions but this doesn't seem to wildcard it.


As the rule is simple (if user connects via this NetScaler Gateway Virtual Server and is member of AD group allow copy and paste) then:


Do I need a Session policy that would replace the * in AccessConditions to get this working?

If so how should I set this up? Ideally its just a blank policy with blank profile, right?


Soruce: https://www.carlstalhood.com/smartaccess-smartcontrol-netscaler-11/#smartaccess

I am working with two HA NSGW VS in the DMZ pointing at a NS providing LB to the StoreFront.

Everything is 7.15.3000 and the NS is VPX-1000 on 12.(something, maybe 12.1 can't remember off hand.)


Edit: Found this: https://www.carlstalhood.com/smartaccess-smartcontrol-netscaler-gateway-12/ but still think I need the Session Policy. I can create a Session profile with nothing in it but what does the policy need to look like? Maybe I can implement a (if they are using a Receiver) policy?


Link to comment
Share on other sites

You can filter your Citrix Policy to both Access Control (all Gateway connections) and an AD User Group. Or you can bind a Session Policy to a AAA Group on NetScaler and use the Session Policy name in your Access Control filter.


You'll need another Citrix Policy to disable clipboard since it's enabled by default.

Link to comment
Share on other sites

To add to what Carl says, For smart access on the XD(CVAD) side....


On Gateway...

The session policy on the NS can point to an empty profile (null profile), if you don't have any gateway settings you need to set. Just create a session_prof_null with no configured settings in it.

But the session policy expression will be based on your condition. Usually, this would be an epa scan, but in your case doesn't need to be.

Instead for your scenario, the policy would be true and bound to your AAA group OR if using advanced engine, bound to the vpn vserver with the expression http.req.user.is_member_of("<groupname>") or whatever the expression is actually called.   (If the policy at the group level isn't passing through; try the vpn vserver binding first.)


For smart access on the XD(CVAD) side....

Policy2_noclipboard at priority 2 (lower priority):  applies with no special filters to disable clipboard mapping.

Policy1_clipboardFromGW at priority 1 (higher priority): applies with the Filter on Gateway; meeting condition. Specify the vpn vserver name and policy name.

IF necessary, you could also apply the group filter on XD as well.


Depending on your exact requirements, there may be some other ways to do this.



Link to comment
Share on other sites

Thanks both for the answers.


Just to clear up by default Copy and paste is disabled for my all users. This will be a higher priority policy for users coming in via this gateway.


I've setup the Null Session Profile. Wanted to create a session profile and bind to the vpn vserver and to keep it simple try to remove the need to have an LDAP lookup as this can be performed on the Delivery Controller anyway.


I setup an Expression for the session policy confirming the user was connecting with Receiver (and hence using ICA I hoped?) HTTP.REQ.HEADER("user-agent").CONTAINS("citrixreceiver")


Unfortunately its seems "Advanced VPN Session Policy cannot be bound if Classic VPN Session Policy is already bound to any entity (i.e. aaa user, aaa group, vpn vserver, vpn global)"


So I create a classic session policy "REQ.HTTP.HEADER Agent-User CONTAINS CitrixReceiver" and bound it to the vServer....


So that should be working now. When I look in Director I can see that in my sessions details has no SmartAccess Filters. Maybe I've missed something?


I do have a HA pair of VPX 1000.... and as per https://www.carlstalhood.com/smartaccess-smartcontrol-netscaler-gateway-12/ "make sure you have NetScaler Gateway Universal Licenses allocated to the appliance" 


My "Maximum NetScaler Gateway Users Allowed" is 1000. Can I still do this or do I need a different NetScaler Licence?


Uncheck the box ICA Only

Trust XML

Callback URL

Bang head on wall....

Link to comment
Share on other sites

1) If you set the disable clipboard mapping which applies to all users at a higher priority (lower index/more important) than the override policy, then it will win and you will not get the other policy setting. If the high priority setting says All Users:clipboard:OFF in XenDesktop and the lower Priority policy says SomeUsers:Clipboard:ON.  The Clipboard:off setting for all users overrides the clipboard:ON settings for the specific users you wanted it on for.

In NS Gateway priority 1 overrides 10; 10 overrides 100.

In XD/AD GPO policies priority 1 overrides 10; 10 overrides 100.

High Priority is 1; Low Priority is everything else.


2) Your user-agent contains CitrixReceiver may not be an appropriate expression in this case.  As that policy wouldn't apply if the users connect via the Web Browser.

I would try a simpler config to get it working, and then you can finesse the expressions.


Unless your gateway is handling full vpn sessions, you don't need to work about the distinguishing ICA Proxy vs. non ICA Proxy settings.


If I understand your scenario right, you want clipboard mapping disabled always unless users are a member of a specific group coming from Gateway.

Depending on whether you clipboard on internally (for all users) but off externally for all users (but this one group). Or if you need to only enable clipboard for this one group and from a specific gateway, would affect the final policies. 


So, you might want to restate your exact requirements for internal connections (all other users), external connections (all other users), internal/external for the special group and whether it affects any  gateway connection or only a specific one.  Then we can provide a more concrete recommendation for your actual policy requirements.


Example 1: 

- Clipboard Mapping off for External users (all) except for users in a specific group coming from vpn1.

On the XD Side, the policies would likely be:


pol_enable_clipboard_SpecialGroup: Priority1:  Filter

    User Filter:  GroupA

    SmartAccess Filter:  Gateway meeting conditions:  vpn_vsrv_gateway1; session_pol_allowclipboard

    ** Keep in mind, if any user on this group can get clipboard mapping from any gateway or whether internal/external, you don't need smart access at all, just use the user filter.



pol_disable_clipboardbaseline: Priority 2:  Filter:  unfiltered (to affect all) or user filter like "Domain Users".  Setting:  Clipboard:OFF

** If clipboard should only be dsiabled for external users, change the Filter to:

      User: Domain Users

      Filter:  Gateway connections *:* (all gateways)


As long as this one is lower priority (higher index) than your allow clipboard policy, then this should work.

The TrustXMLServiceRequests setting is required which you said you already have.


One other thing:

And your VPN vserver properties on the NetScaler cannot be set to ICAProxy: Only or you can do smart access. You already have enough gateway/universal licenses it seems.

This setting is when you edit the vpn vserver, expand the basic settings (top section) and then click "more", make sure ICA Proxy [x] isn't checked.







Link to comment
Share on other sites

Thanks for the reply. I think we are getting close to the resolution.


The Studio Policies are working as designed with the correct priority. I have tested allowing Copy and paste with a higher priority policy (Higher than my denied policy) in Studio with the AD group membership and it works.


I have used the User Agent Receiver syntax for the Session Policy because I have a prerequisite that all users from this location must have a certain version of the Local thin client installed. So I don't really want them to use HTML ideally so removing the Copy and paste if they do it helpful really. That's more user social engineering than a technical requirement.


What I would l am trying to do is filter using Smart access for users coming in via this NetScaler Gateway Virtual Server and are members of this AD Group. The Policy is then applied from Studio based on the XML data and Group memberships the Delivery Controllers receive or can look up.


When looking at Director I see no SmartAccess Filter data on the users (is says -none-). I should as a minimum be seeing the Farm AG even if the Session Policy is not applying as ICS only is disabled and the XML file should be passing though, right?



Any ideas why I wouldn't be seeing this?



I think if I resolve the SmartAcess filter data in Director then the Delivery controller will have the correct details on the XML to filter.

Link to comment
Share on other sites

Do you have the vpn vserver set to ICA Proxy ONLY checkbox. (Under the vpn vserver properties (top section)...may have to expand to see.) 

If so, you will not use the SmartAccess policies.


You mentioned licensing, you will need universal licenses for this (aka vpn licenses). But if when you look at your licenses you see both ICA licenses and SSLVPN license ccu numbers, then the vpn licenses means you are covered.


Make sure the vpn vserver/session policy name on the XD enviornment exactly matches the policy on the Gateway.


The only other requirement is TrustRequestsSentToXMLService property needs to be enabled in the XDSite (which you said already was).


So if the policy isn't passing through, your policy binding on the gateway may not be actually be in effect.

A summary of your policies (expressions) and their bindings/priorities on both the NetScaler and the XD Site would help determine if something else is wrong.


The Policies node in director is going to show you your XD policies.  My understanding is your Farm AG (if assigned in XD) would appear hear, I think.

Your SmartAccess Filters will show you the policies from NetScaler.


Link to comment
Share on other sites

ICA only is unchecked as per the articles I referenced


I will investigate the licences again as this is the only unknown. I will maybe Screenshot it but all my reading seems to bring my toward that being ok... but maybe it is as simple as a licence feature... I hope.


The SmartAccess Filter tab that shows -none- in Director I believe should show both the Session Polices past through and the Farm AG as per Screenshots from Google images below:




I'm also sure I saw this on Carl's article and a Citrix article but I can't get to them at the moment. I will have more Monday.


Link to comment
Share on other sites

Yes, to clarify what I was saying before - policies in the XD site affecting your session are in the Policies node.

Session policies applied to your session from the NetScaler Gateway appear in the SmartAccess filters list (whether they are being passed to xd or not.) I didn't clarify that very well.


The fact that you have nothing in the SmartAccess list means something is not passthrough at all.

Link to comment
Share on other sites

I believe (Still needs testing) the Authentication Settings on the NetScaler Gateway Appliance on StoreFront needs not only the Call Back URL to work but also the VServer IP Address (Which is listed as Optional).


I think this is because I have more than one Gateway on the same NetScaler and it need to know which VIP to talk to (or something) even through thats is in the host file for the Call back.


I've put the VIP in the VServer IP on Storefront and I think I maybe seeing the AG Data in Director. I need to just test to confirm.


Maybe Citrix/Carl needs to add that to the Smart Access how to pages. Would have saved me days of pulling my hair out.... anyway... testing now. I will update if this works.

  • Like 1
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...